Comment 16 for bug 1780227

Christian Brauner (cbrauner) wrote : Re: [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

On Fri, Jul 27, 2018, 21:21 Stéphane Graber <email address hidden> wrote:

> Ok, thanks for the update. I've now updated the bug once again to move
> all the tasks over to the kernel. Can you attach the kernel patch here
> when you can, I'm sure some of the subscribers may want to test this
> ahead of the Ubuntu kernel fixes :)
>

Might make sense to cc Lennart as he has a stake in this too. :)

> ** Changed in: linux (Ubuntu)
> Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu Xenial)
> Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu Bionic)
> Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu)
> Status: Invalid => Triaged
>
> ** Changed in: linux (Ubuntu Xenial)
> Status: Invalid => Triaged
>
> ** Changed in: linux (Ubuntu Bionic)
> Status: Invalid => Triaged
>
> ** Changed in: apparmor (Ubuntu)
> Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu Xenial)
> Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu Bionic)
> Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu)
> Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: apparmor (Ubuntu Xenial)
> Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: apparmor (Ubuntu Bionic)
> Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: linux (Ubuntu)
> Assignee: (unassigned) => John Johansen (jjohansen)
>
> ** Changed in: linux (Ubuntu Xenial)
> Assignee: (unassigned) => John Johansen (jjohansen)
>
> ** Changed in: linux (Ubuntu Bionic)
> Assignee: (unassigned) => John Johansen (jjohansen)
>
> https://bugs.launchpad.net/bugs/1780227
>
> Title:
> locking sockets broken due to missing AppArmor socket mediation
> patches
>
> Status in apparmor package in Ubuntu:
> Invalid
> Status in linux package in Ubuntu:
> Triaged
> Status in apparmor source package in Xenial:
> Invalid
> Status in linux source package in Xenial:
> Triaged
> Status in apparmor source package in Bionic:
> Invalid
> Status in linux source package in Bionic:
> Triaged
>
> Bug description:
> Hey,
>
> Newer systemd makes use of locks placed on AF_UNIX sockets created
> with the socketpair() syscall to synchronize various bits and pieces
> when isolating services. On kernels prior to 4.18 that do not have
> backported the AppArmor socket mediation patchset this will cause the
> locks to be denied with EACCESS. This causes systemd to be broken in
> LXC and LXD containers that do not run unconfined which is a pretty
> big deal. We have seen various bug reports related to this. See for
> example [1] and [2].
>
> If feasible it would be excellent if we could backport the socket
> mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
> 4.15. This will unbreak a whole range of use-cases.
>
> The socket mediation patchset is available here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4
>
>
> [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
> [2]: https://github.com/systemd/systemd/issues/9493
>
> Thanks!
> Christian
>
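The behaviour the quoted bug description hinges on (a lock taken on one end of an AF_UNIX socketpair() being refused with EACCES on a kernel whose AppArmor lacks the socket mediation patchset) can be probed directly, which is useful when deciding whether a given host kernel is affected before chasing systemd. The C program below is an added example written for this page; it is not code from the bug report, from systemd or from the AppArmor patchset. The report does not say which lock kind systemd uses, so the program probes both flock() and a POSIX fcntl(F_SETLK) record lock (an assumption), and it uses SOCK_STREAM for the pair (also an assumption). The function and enum names are the example's own.

```c
/* Added diagnostic written for this page; not code from the bug report,
 * systemd or the AppArmor patchset.  Creates an AF_UNIX socketpair() and
 * tries to lock one end with flock() and with fcntl(F_SETLK), then reports
 * whether the kernel allowed it, denied it (EACCES/EPERM) or failed for an
 * unrelated reason.  Lock kinds and SOCK_STREAM are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

enum lock_result { LOCK_OK = 0, LOCK_DENIED = 1, LOCK_OTHER_ERROR = 2 };

/* Map a syscall return code plus its errno to a coarse outcome. */
enum lock_result classify_lock_errno(int rc, int err)
{
    if (rc == 0)
        return LOCK_OK;
    if (err == EACCES || err == EPERM)
        return LOCK_DENIED;
    return LOCK_OTHER_ERROR;
}

/* Exclusive, non-blocking flock() on fd; released again on success. */
enum lock_result probe_flock(int fd, int *err_out)
{
    int rc = flock(fd, LOCK_EX | LOCK_NB);
    *err_out = rc == 0 ? 0 : errno;
    if (rc == 0)
        flock(fd, LOCK_UN);
    return classify_lock_errno(rc, *err_out);
}

/* Whole-file POSIX write lock via fcntl(F_SETLK); released on success. */
enum lock_result probe_fcntl_lock(int fd, int *err_out)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };
    int rc = fcntl(fd, F_SETLK, &fl);
    *err_out = rc == 0 ? 0 : errno;
    if (rc == 0) {
        fl.l_type = F_UNLCK;
        fcntl(fd, F_SETLK, &fl);
    }
    return classify_lock_errno(rc, *err_out);
}

/* Create the socketpair and run one probe on its first end.
 * use_fcntl selects fcntl(F_SETLK) instead of flock(). */
enum lock_result probe_socketpair_lock(int use_fcntl, int *err_out)
{
    int sv[2];
    enum lock_result r;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        *err_out = errno;
        return LOCK_OTHER_ERROR;
    }
    r = use_fcntl ? probe_fcntl_lock(sv[0], err_out)
                  : probe_flock(sv[0], err_out);
    close(sv[0]);
    close(sv[1]);
    return r;
}

static const char *describe(enum lock_result r)
{
    switch (r) {
    case LOCK_OK:     return "allowed";
    case LOCK_DENIED: return "denied (EACCES/EPERM: missing socket mediation?)";
    default:          return "failed for an unrelated reason";
    }
}

int main(void)
{
    int err;
    enum lock_result r;

    r = probe_socketpair_lock(0, &err);
    printf("flock() on socketpair end: %s%s%s\n", describe(r),
           err ? ", errno: " : "", err ? strerror(err) : "");
    r = probe_socketpair_lock(1, &err);
    printf("fcntl(F_SETLK) on socketpair end: %s%s%s\n", describe(r),
           err ? ", errno: " : "", err ? strerror(err) : "");
    return 0;
}
```

Run it once unconfined on the host and once inside a confined container on the same kernel; a "denied" result that appears only in the confined run matches the report's description and points at the kernel's AppArmor rather than at systemd, whereas "allowed" in both runs means that kernel already mediates socket locks.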